pterodactyl / panel

Pterodactyl® is a free, open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
https://pterodactyl.io
6.57k stars, 1.64k forks

Deleted subusers can still access SFTP #4010

Status: Open. VibeGAMESNL opened this issue 2 years ago.

VibeGAMESNL commented 2 years ago

Current Behavior

When you delete a subuser while he still has an open SFTP session, he can still view, edit or delete files.

Expected Behavior

When you delete a subuser any active SFTP sessions of this user should be closed.

Steps to Reproduce

  1. Create a subuser with full permissions
  2. Connect to SFTP using filezilla using the credentials of the subuser
  3. Delete the subuser
  4. Try to edit a file

Panel Version

1.7.0

Wings Version

1.6.1

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs

No response


hwalker928 commented 2 years ago

Could be similar to #3439

DaneEveritt commented 2 years ago

I believe this is intentional behavior since we use short-lived JWTs to authenticate users, rather than checking with the panel on every request made. It should technically also try to revoke the token immediately, but that isn't always guaranteed so I'll leave this open until I have time to look closer.

DaneEveritt commented 2 years ago

Looked again, the SFTP server doesn't use JWTs to authenticate users, it uses the standard password flows.

I can look into updating things to re-verify users after a set period of time, but there probably isn't a great way to handle the user deletion issue without hooking into the other revocation flows and terminating the open connection when they're hit. The only other way I can think of handling things is making an API request on every action (basically just a DoS vector at that point), or connecting the Wings instances to the database, which I also don't want to do.

TekExplorer commented 2 years ago

Couldn't you have the panel notify wings on revoking access? Or is it not that simple?

DaneEveritt commented 2 years ago

It can, yes.
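The two mitigations discussed in this thread, periodic re-verification of an open SFTP session and a panel-to-Wings revocation callback that tears down the user's live connections, sketched as an added example in Go (Wings' language). This is not code from Pterodactyl, Wings or the panel; the `Verifier` interface, the `Registry`, the `DELETE /api/sftp/users/{user}` route and all other names are hypothetical, and the panel's request is assumed to be authenticated by outer middleware that is not shown. Each session carries a context; the transport layer would select on `ctx.Done()` and drop the connection when it is cancelled.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Verifier re-checks whether a user still has SFTP access to a server.
// Hypothetical: in a daemon like Wings this would be a call back to the panel.
type Verifier interface {
	StillAuthorized(ctx context.Context, user, server string) (bool, error)
}

// VerifierFunc adapts a plain function to Verifier.
type VerifierFunc func(ctx context.Context, user, server string) (bool, error)

func (f VerifierFunc) StillAuthorized(ctx context.Context, user, server string) (bool, error) {
	return f(ctx, user, server)
}

// Session is one open SFTP connection; cancelling ctx tears it down.
type Session struct {
	User, Server string
	ctx          context.Context
	cancel       context.CancelFunc
}

// Closed reports whether the session has been torn down.
func (s *Session) Closed() bool {
	select {
	case <-s.ctx.Done():
		return true
	default:
		return false
	}
}

// Registry tracks open sessions per user so a revocation can find and close them.
type Registry struct {
	mu       sync.Mutex
	sessions map[string][]*Session
}

func NewRegistry() *Registry { return &Registry{sessions: map[string][]*Session{}} }

// Open registers a session and starts a loop that re-verifies it every `every`
// (must be > 0), so a deleted user is cut off even if the panel's callback is lost.
func (r *Registry) Open(parent context.Context, v Verifier, user, server string, every time.Duration) *Session {
	ctx, cancel := context.WithCancel(parent)
	s := &Session{User: user, Server: server, ctx: ctx, cancel: cancel}
	r.mu.Lock()
	r.sessions[user] = append(r.sessions[user], s)
	r.mu.Unlock()
	go func() {
		t := time.NewTicker(every)
		defer t.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-t.C:
				if !r.Check(ctx, v, s) {
					return
				}
			}
		}
	}()
	return s
}

// Check runs one re-verification and fails closed: an error or a negative answer
// closes the session. It returns true only if the session is still open afterwards.
func (r *Registry) Check(ctx context.Context, v Verifier, s *Session) bool {
	ok, err := v.StillAuthorized(ctx, s.User, s.Server)
	if err != nil || !ok {
		r.remove(s)
		s.cancel()
		return false
	}
	return !s.Closed()
}

func (r *Registry) remove(s *Session) {
	r.mu.Lock()
	defer r.mu.Unlock()
	list := r.sessions[s.User]
	for i, x := range list {
		if x == s {
			list = append(list[:i], list[i+1:]...)
			break
		}
	}
	if len(list) == 0 {
		delete(r.sessions, s.User)
	} else {
		r.sessions[s.User] = list
	}
}

// Revoke closes every open session of user and returns how many it closed.
func (r *Registry) Revoke(user string) int {
	r.mu.Lock()
	list := r.sessions[user]
	delete(r.sessions, user)
	r.mu.Unlock()
	for _, s := range list {
		s.cancel()
	}
	return len(list)
}

// Active returns the number of open sessions for user.
func (r *Registry) Active(user string) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.sessions[user])
}

// RevokeHandler is the hypothetical endpoint the panel calls when a subuser is
// deleted or loses permissions: DELETE /api/sftp/users/{user}.
func (r *Registry) RevokeHandler(w http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodDelete {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	user := strings.TrimPrefix(req.URL.Path, "/api/sftp/users/")
	if user == "" || strings.Contains(user, "/") {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	r.Revoke(user)
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	always := VerifierFunc(func(context.Context, string, string) (bool, error) { return true, nil })
	r := NewRegistry()
	s := r.Open(context.Background(), always, "subuser-1", "srv-a", time.Minute)
	fmt.Println("open before revoke:", r.Active("subuser-1"), "closed:", s.Closed())
	fmt.Println("revoked:", r.Revoke("subuser-1"), "closed now:", s.Closed())
}
```

The callback gives immediate revocation on subuser deletion; the periodic `Check` bounds the exposure window to `every` when the callback never arrives (node offline, panel error), which is the "re-verify after a set period" option above. The interval trades the per-action API call the thread rejects as a DoS vector for one call per session per period.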